A programmable execution service (“PES”) provides computing resources for executing applications on a permanent or an as-needed basis. The computing resources provided by a PES may include various types of resources, such as data processing resources, data storage resources, data communication resources, and the like. Each type of computing resource may be general-purpose or may be available in a number of specific configurations. For example, data processing resources may be available as virtual machine instances (“instances”). The instances may be configured to execute applications, including World Wide Web (“Web”) servers, application servers, media servers, database servers, and the like. Data storage resources may include file storage devices, block storage devices, and the like. The resources provided by a PES can typically be purchased by a customer of the PES and utilized according to various financial models.
Instances executing within a PES may be compromised in various ways. For instance, a malicious attacker might gain control over one or more instances executing within a PES by exploiting vulnerabilities within an operating system or application programs executing on the instances. Once the attacker has gained control over the instances, the attacker might configure the instances to engage in various types of undesirable computing activity. For example, the instances might be programmed to send unsolicited bulk electronic mail messages (“UBE” or “SPAM”), to perform distributed denial of service (“DDOS”) attacks, to host undesirable World Wide Web (“Web”) sites or other content, or to perform other types of undesirable computing activity. It can be difficult to detect instances executing in a PES that are performing this type of undesirable computing activity.
It is with respect to these and other considerations that the disclosure made herein is presented.